Re: Proposal: Enabling unprivileged chroot by default
Date: Tue, 05 Aug 2025 20:12:38 UTC
On Tue, Aug 05, 2025 at 10:57:17AM -0400, Ed Maste wrote:
> I would like to change the default value of the
> security.bsd.unprivileged_chroot sysctl from 0 (disabled) to 1
> (enabled). This will allow unprivileged users to invoke chroot(2)
> under constrained and secure conditions. See the recent "Non-root
> chroot" thread on freebsd-hackers@ for some more context.
> 
> **Background**
> Support for unprivileged chroot(2) was introduced before FreeBSD 14.0
> (and MFC'd for FreeBSD 13.1) via commit a40cf4175c90 ("Implement
> unprivileged chroot"), but disabled by default. This commit added:
> 
> - a sysctl security.bsd.unprivileged_chroot that must be set to 1
> - a check in chroot(2) that the NO_NEW_PRIVS procctl is set when
> called in an unprivileged context
> - a new chroot(8) flag -n to set the NO_NEW_PRIVS procctl
> 
> NO_NEW_PRIVS causes the kernel to ignore set-user-ID and set-group-ID
> bits, preventing the well-known confused deputy issues affecting
> chroot(2).
FYI: mac_do(4) needs to take NO_NEW_PRIVS into account. Patch in
HardenedBSD:
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/ef712e6e4701c8c943d7e8a1c9b08e0ab93cb51a
Without that patch, an overly permissive mac_do(4) policy could result
in privilege escalation in the unprivileged chroot:
==== BEGIN LOG ====
hbsd-current-01[shawn]:/home/shawn $ sysctl security.bsd.unprivileged_chroot security.mac.do.rules
security.bsd.unprivileged_chroot: 1
security.mac.do.rules: uid=1001:uid=0
hbsd-current-01[shawn]:/home/shawn $ id
uid=1001(shawn) gid=1001(shawn) groups=1001(shawn),0(wheel),5(operator)
hbsd-current-01[shawn]:/home/shawn $ chroot -n /
Agent pid 19225
hbsd-current-01[shawn]:/ $ su -
su: not running setuid
hbsd-current-01[shawn]:/ (1) $ mdo -u root -i /bin/sh
# id
uid=0(root) gid=0(wheel) egid=1001(shawn) groups=1001(shawn),0(wheel),5(operator)
# ^D
hbsd-current-01[shawn]:/ $ id
uid=1001(shawn) gid=1001(shawn) groups=1001(shawn),0(wheel),5(operator)
hbsd-current-01[shawn]:/ $ 
==== END LOG ====
Thanks,
-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
Signal Username:  shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
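As an added configuration check (not code from the post, from Ed Maste's proposal, or from HardenedBSD), the script below parses the two sysctls shown in the log and flags the combination Shawn describes: security.bsd.unprivileged_chroot enabled alongside a mac_do(4) rule that lets a non-root uid reach uid 0. It assumes the rule syntax visible in the log (":" between subject and targets, "," between several targets, ";" between rules, and "any" as a catch-all target); the sysctl output is constructed to match the post, and the `audit` and `Rule` names are the example's own.

```python
"""Audit sysctl output for the risky pairing of unprivileged chroot and a
permissive mac_do(4) policy. Hypothetical helper, not a FreeBSD tool."""
import re
from dataclasses import dataclass

# Constructed to match the sysctl lines in the log above.
SAMPLE_SYSCTL_OUTPUT = """\
security.bsd.unprivileged_chroot: 1
security.mac.do.rules: uid=1001:uid=0
"""

_ID = re.compile(r"(uid|gid)=\d+")


@dataclass(frozen=True)
class Rule:
    subject: str        # who the rule applies to, e.g. "uid=1001"
    targets: tuple      # what they may become, e.g. ("uid=0",) or ("any",)


def parse_sysctl(text):
    """Turn 'name: value' lines (sysctl(8) default output) into a dict."""
    out = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip()] = value.strip()
    return out


def parse_mac_do_rules(value):
    """Parse 'uid=1001:uid=0;gid=5:any' (assumed syntax, as seen in the log)."""
    rules = []
    for chunk in value.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        subject, sep, rest = chunk.partition(":")
        subject = subject.strip()
        if not sep or not _ID.fullmatch(subject):
            raise ValueError(f"malformed mac_do rule: {chunk!r}")
        targets = tuple(t.strip() for t in rest.split(",") if t.strip())
        for t in targets:
            if t != "any" and not _ID.fullmatch(t):
                raise ValueError(f"malformed mac_do target: {t!r}")
        rules.append(Rule(subject, targets))
    return rules


def rule_grants_root(rule):
    """True if a non-root subject may become uid 0 (directly or via 'any')."""
    if rule.subject == "uid=0":
        return False
    return any(t in ("any", "uid=0") for t in rule.targets)


def audit(text):
    """Return a list of human-readable findings for the given sysctl output."""
    settings = parse_sysctl(text)
    chroot_on = settings.get("security.bsd.unprivileged_chroot", "0") == "1"
    rules = parse_mac_do_rules(settings.get("security.mac.do.rules", ""))
    risky = [r for r in rules if rule_grants_root(r)]

    findings = []
    for r in risky:
        findings.append(
            f"mac_do rule '{r.subject}:{','.join(r.targets)}' can reach uid 0")
    if chroot_on and risky:
        # The pairing from the log: a user chroot plus a root-granting rule.
        findings.append("unprivileged chroot is enabled; unless mac_do honours "
                        "NO_NEW_PRIVS, these rules escalate inside a user chroot")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SYSCTL_OUTPUT):
        print("FINDING:", finding)
```

Run it against `sysctl security.bsd.unprivileged_chroot security.mac.do.rules` output to get a quick read on whether a host is exposed to the pattern in the log; a root-granting rule is reported on its own, and the extra finding appears only when unprivileged chroot is also switched on.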